IAB Europe is fined EUR250,000 as DPA rules against adtech consent tool

The TCF, which was developed by IAB (an adtech trade body for interactive advertising), is a widely used mechanism which manages individual users' preferences relating to targeted online advertising. It forms an important part of many organisations' adtech ecosystems. It captures user preferences through a pop-up interface, within which the individual user is asked to consent to the processing (collection and sharing) of their personal data. These preferences are turned into a code which, alongside cookies placed onto the user’s device, can render that user identifiable (e.g. when combined with their IP address). The TCF can also be used to enable users to object to certain processing activities based on the legitimate interests of ad tech vendors.

The Belgian DPA found that IAB acts as a data controller with respect to the registration, as part of the TCF, of individual users’ consent, objections and preferences via unique transparency and consent strings, linked to an identifiable user. Subsequently, the Belgian DPA held IAB responsible for violations of the GDPR, with focus on the following infringements: 

• lawfulness: a failure to establish lawful processing grounds;
• transparency: insufficient information provided to individuals (being ''too generic and vague'');
• accountability, security and privacy by design: an absence of technical and organisational GDPR compliance measures; and
• breaches of various controller obligations: such as appointing a data protection officer, maintaining records of processing and conducting data protection impact assessments.

The decision clarifies and reaffirms the Belgian DPA’s position on the categorisation of an entity as a data controller, confirming, among others, that: 

• access to personal data is not required in order for an organisation to be a data controller over that information (particularly where, as in this case, that organisation ''plays a decisive role with regards to the collection, processing and dissemination of users’ preferences, consents and objections''); and
• the role of the data controller should be given a broad interpretation, in order to place the responsibility for data protection on the entity that actually – in practice – exercises control over the data processing. 

The Belgian DPA has imposed a fine of EUR 250,000 and ordered IAB Europe to undertake corrective measures, within six months, including:

• a requirement to establish a valid legal basis for processing and sharing user preferences within the context of TCF;
• prohibiting the use of legitimate interest as a basis for personal data processing by organisations participating in TCF; and
• a requirement for IAB to “maintain a strict audit” of organisations that join TCF to ensure that they meet GDPR requirements. 

In this investigation, the Belgian DPA acted as a lead supervisory authority and its draft decision was subject to cooperation procedure under the GDPR’s one-stop-shop mechanism. The supervisory authorities of more than 20 EU member states acted as supervisory authorities concerned and considered the findings of the Belgian DPA before the decision was finalised. 

The decision is subject to appeal. The IAB clarified that while it is considering its options with respect to challenging the decision, it will work with the Belgian DPA on an action plan to ensure the continuous use of the TCF. It also issued, on 9 February 2022, a detailed FAQs document addressing the practical aspects of the Belgian DPA’s decision.

In the aftermath of this decision, the mass media quoted the supervisory of the Netherlands (Dutch DPA) to state that organisations using the TCF adtech framework violate the GDPR and should seek alternatives that are not based on user tracking, such as contextual advertising.

Read the press release 'The BE DPA to restore order to the online advertising industry: IAB Europe held responsible for a mechanism that infringes the GDPR', and the full decision of the Belgian DPA’s Litigation Chamber. The press release of IAB is available here and a FAQs of 9 February 2022 here. Read the publication quoting the Dutch DPA  (only in Dutch).

This blog was prepared together with aosphere and also appears on Rulefinder Data Privacy.